I have a managed bean with 2 attribute: userName & password (with its respective getters and setters methods), and a login() method that access the database to verify login credentials.
My question is, when the user clicks the "login" button, the action must go through https protocol. How can I achieve this with JSF 2?
Also, if I want to have some Faces to be protected (under https protocol), how do I achieve this? Is there a filter that enables me to do this?
Thanks in advance.
You can define a security constraint in the web.xml of your application:
<security-constraint>
<web-resource-collection>
<web-resource-name>SecureConnection</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint/>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Adapt the url-pattern to contain your login page and all other secured pages. The use of https is defined by the user-data-constraint.
From the Java EE tutorial:
If you specify CONFIDENTIAL or INTEGRAL as a security constraint, it generally means that the use of SSL is required and applies to all requests that match the URL patterns in the web resource collection, not just to the login dialog box.
If you wrote your own login() method and are using Glassfish, you could take a look at container-based authentication with a JDBCRealm as alternative login approach.
